SI NULLUS UMOR FORNICARI EIS

I hope you’ve heard about the new EMV chipped credit/debit cards. On the one hand, they’re a definite security improvement over the older style. The original chipped cards were straight RFID-style, which simply copied the mag stripe info to the RFID, which could then be read in your pocket with a home-made near-field reader. The newer EMV is an active computing device. During a transaction, it actively communicates with the card system to create what amounts to a new, temporary ‘credit card number’ for each purchase. A crook might scan your new card, but it’ll only be good for one use… if he manages to use it before you do. If you get there first with your real card, the crook’s copied transaction number will expire.

That’s something. I still recommend an RF-blocking wallet for your chipped cards, because one hacked transaction can ruin you while you straighten it out with your oh-so-cooperative credit card company or bank.

But there’s another little problem with those new cards. You have to enter a PIN for every transaction. No PIN, no good. So if someone physically steals your card, he can’t use it.

Wrong. Turns out you can hack the card so it will accept any random string as a valid PIN. As near as I can tell, this works because the system relies on the individual card to approve PINs instead of comparing the PIN entered to the PIN in the company’s database.

WTF?

OK, that’s so a processing company doesn’t have to go back to the card issuer for every transaction, because that’s complicated and would slow down the purchase process even more. But if they intend to field a card billed as secure, they better get off their butts and do it.

But believe it or not, all that wasn’t the main point. In the first article about the hack, they caught the bad guys.

By their cell phones.

The police obtained the international mobile subscriber identity (IMSI) numbers present at the locations where the cards were used and at the times they were used, and then they correlated those IMSI numbers to SIM cards.

Yep, they sifted through the sort of data the NSA has been collecting and matched it to otherwise unrelated activities. They didn’t just get the IMSIs of dumbasses talking on the phone while they ran hacked transactions; they got the IMSI of every phone turned on in the area.
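The correlation described above, sketched as an added example (not code from the article or the investigation it mentions): count how many of the fraudulent transactions each IMSI was near. The tower-dump rows, site names, test-prefix IMSIs and the 10-minute window are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed tower-dump rows: (timestamp, cell site, IMSI). The IMSIs use the
# 001/01 test-network prefix and the site names are made up.
TOWER_DUMP = [
    ("2020-01-06T10:02", "site-A", "001010000000001"),
    ("2020-01-06T10:04", "site-A", "001010000000002"),
    ("2020-01-06T10:07", "site-A", "001010000000003"),
    ("2020-01-06T11:30", "site-A", "001010000000004"),  # too late to count
    ("2020-01-07T15:28", "site-B", "001010000000001"),
    ("2020-01-07T15:33", "site-B", "001010000000005"),
    ("2020-01-07T15:35", "site-B", "001010000000002"),  # bystander seen twice
    ("2020-01-09T11:55", "site-C", "001010000000001"),
    ("2020-01-09T12:03", "site-C", "001010000000006"),
    ("2020-01-09T12:01", "site-D", "001010000000007"),  # wrong site
]
# Constructed card-fraud events: (timestamp, cell site covering the terminal).
TRANSACTIONS = [
    ("2020-01-06T10:05", "site-A"),
    ("2020-01-07T15:30", "site-B"),
    ("2020-01-09T12:00", "site-C"),
]

def imsis_near(tx_time, site, dump, window):
    """IMSIs logged at `site` within `window` of the transaction time."""
    t = datetime.fromisoformat(tx_time)
    return {imsi for ts, s, imsi in dump
            if s == site and abs(datetime.fromisoformat(ts) - t) <= window}

def correlate(transactions, dump, window=timedelta(minutes=10)):
    """Return (events-per-IMSI counter, set of every IMSI swept up)."""
    hits, swept = Counter(), set()
    for tx_time, site in transactions:
        present = imsis_near(tx_time, site, dump, window)
        hits.update(present)   # one hit per transaction the phone was near
        swept |= present
    return hits, swept

def candidates(hits, min_events):
    """IMSIs present at `min_events` or more of the transactions."""
    return sorted(imsi for imsi, n in hits.items() if n >= min_events)

if __name__ == "__main__":
    hits, swept = correlate(TRANSACTIONS, TOWER_DUMP)
    print("phones swept up:", len(swept))
    print("at all three events:", candidates(hits, len(TRANSACTIONS)))
```

Only one IMSI is present at all three events, but `swept` also holds every phone that was merely switched on nearby, and lowering the threshold to two events already flags a bystander.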


5 thoughts on “Those little details matter”

Many years ago, my bank gave away little envelopes for credit cards when they first came out with the magnetic strip. The envelopes not only prevented the strip from being scratched, they protected it from damage by magnetic sources. I saw that demonstrated independently, so used the envelope all these years. Now, the last of those envelopes have finally worn out. Given the new dangers of those cards being read/used remotely, I wanted to go even farther toward good protection.

What I’m prepared to do now is make my own. I plan to lay down a piece of aluminum foil large enough to wrap the card once, with a little overlap. I will put some thin packing tape over the foil, and then form it around the card, leaving one edge open so the card can be taken out and put back in. I may need to try it several times before I manage to create one that will do the job, but the materials are cheap and easily obtained.

Cool! I can send pictures if you like. The challenge will be to make the envelope thin enough to fit into the wallet, and thick enough to be durable. I have a mylar bag with some prep stuff in it. Maybe I’ll pour that out into something else and see if I can make envelopes out of the bag. Would that work better?

I think it would be easier to tape over aluminum foil, and wrap that around a card. But give it a try. That’s why I sprung for a blocking wallet: all cards and IDs will be converting to some sort of RFID eventually, and making a bunch of separate sleeves would be a PITA.

I bought a good wallet several years ago, and it looks like it’s going to last several more years. 🙂 Since I only have one credit card I think the envelope will be my best bet for now. And I don’t even actually carry my DL… I leave it in a shielded envelope in the glove compartment. I’ve only been asked to show it two or three times since I moved here, apart from the two times I had to “renew” it. Now there’s a silly three ring circus if there ever was one. All the information and “documentation” they demand is already a part of common public record. Just whom do they think they are fooling? LOL